U.S. OFFICE OF PERSONNEL MANAGEMENT
OFFICE OF THE INSPECTOR GENERAL
OFFICE OF AUDITS

Final Audit Report

Subject:

AUDIT OF INFORMATION SYSTEMS
GENERAL AND APPLICATION CONTROLS AT THE
GOVERNMENT EMPLOYEES HEALTH ASSOCIATION

Report No. 1B-31-00-11-066

Date: August 9, 2012

--CAUTION--
This audit report has been distributed to Federal officials who are responsible for the administration of the audited program. This audit report may contain proprietary data which is protected by Federal law (18 U.S.C. 1905). Therefore, while this audit report is available under the Freedom of Information Act and made available to the public on the OIG webpage, caution needs to be exercised before releasing the report to the general public as it may contain proprietary information that was redacted from the publicly distributed copy.

Audit Report

FEDERAL EMPLOYEES HEALTH BENEFITS PROGRAM
CONTRACT 1063
THE GOVERNMENT EMPLOYEES HEALTH ASSOCIATION
PLAN CODE 31
LEE'S SUMMIT & INDEPENDENCE, MISSOURI

Report No. 1B-31-00-11-066

Date: August 9, 2012

________________________
Michael R. Esser
Assistant Inspector General
for Audits

Executive Summary

This final report discusses the results of our audit of general and application controls over the information systems at the Government Employees Health Association (GEHA).

Our audit focused on the claims processing applications used to adjudicate Federal Employees Health Benefits Program (FEHBP) claims for GEHA, as well as the various processes and information technology (IT) systems used to support these applications. We also conducted a significant follow-up review of prior audit recommendations from our 2006 IT audit.

In 2006 a substantial number of recommendations were made that collectively identified a significant weakness in GEHA's management of IT security. GEHA lacked the critical policies and procedures necessary for an entity-wide security program. Furthermore, they did not have the appropriate resources, both tangible and personnel, to ensure the protection of member data and successful processing of FEHBP claims. During our follow-up review, we determined that these long-standing weaknesses have not been addressed and prior audit recommendations had been prematurely closed by OPM. While the audit work conducted during this review showed very recent steps taken by GEHA management to develop an improved IT security program, currently there are significant weaknesses that still threaten the privacy and security of FEHBP data and member PII. We documented controls in place and opportunities for improvement in each of the areas below.

Security Management
GEHA has established a series of IT policies and procedures to create an awareness of IT security at the Plan.
However, GEHA has not developed a Rules of Behavior agreement that all employees are required to sign.

Access Controls
We found that GEHA has implemented numerous controls related to the process of granting physical access to its data center, as well as logical controls to encrypt sensitive information. However, we did note multiple opportunities for improvement related to GEHA's physical and logical access controls.

Configuration Management
GEHA has developed formal policies and procedures providing guidance to ensure that system software is appropriately configured and updated, as well as for controlling system software configuration changes. However, we noted numerous weaknesses in GEHA's configuration management program. The weaknesses were severe enough to consider the program a significant deficiency in GEHA's ability to securely process sensitive FEHBP data.

Contingency Planning
We reviewed GEHA's business continuity plans and concluded that they contained most of the key elements suggested by relevant guidance and publications. We also determined that these documents are reviewed and updated on a periodic basis. However, GEHA does not perform routine disaster recovery testing on its distributed server environment.

Application Controls
GEHA has implemented many controls in its claims adjudication process to ensure that FEHBP claims are processed accurately. However, we recommended that GEHA implement several system modifications to ensure that its claims processing systems adjudicate FEHBP claims in a manner consistent with the OPM contract and other regulations.

Health Insurance Portability and Accountability Act (HIPAA)
Nothing came to our attention that caused us to believe that GEHA is not in compliance with the HIPAA security, privacy, and national provider identifier regulations.

Contents

Executive Summary ... i
I. Introduction ... 1
    Background ... 1
    Objectives ... 1
    Scope ... 2
    Methodology ... 2
    Compliance with Laws and Regulations ... 3
II. Audit Findings and Recommendations ... 4
    A. Security Management ... 4
    B. Access Controls ... 5
    C. Configuration Management ... 13
    D. Contingency Planning ... 18
    E. Application Controls ... 20
    F. Health Insurance Portability and Accountability Act ... 25
III. Major Contributors to This Report ... 26

Appendix: Government Employees Health Association's May 10, 2012 response to the draft audit report issued March 14, 2012.

I. Introduction
This final report details the findings, conclusions, and recommendations resulting from the audit of general and application controls over the information systems responsible for processing Federal Employees Health Benefits Program (FEHBP) claims at the Government Employees Health Association (GEHA).

The audit was conducted pursuant to FEHBP contract 1063; 5 U.S.C. Chapter 89; and 5 Code of Federal Regulations (CFR) Chapter 1, Part 890. The audit was performed by the U.S. Office of Personnel Management's (OPM) Office of the Inspector General (OIG), as established by the Inspector General Act of 1978, as amended.

Background
The FEHBP was established by the Federal Employees Health Benefits Act (the Act), enacted on September 28, 1959.
The FEHBP was created to provide health insurance benefits for federal employees, annuitants, and qualified dependents. The provisions of the Act are implemented by OPM through regulations codified in Title 5, Chapter 1, Part 890 of the CFR. Health insurance coverage is made available through contracts with various carriers that provide service benefits, indemnity benefits, or comprehensive medical services.

The last OIG audit of general and application controls at GEHA occurred in 2006. While the audit was closed in 2006 by the audit resolution group in OPM's Healthcare and Insurance Office, we did a full review of all recommendations from the 2006 audit. We determined that several recommendations were inappropriately closed and that numerous weaknesses were not remediated until after 2009. Several recommendations should still be open and have been rolled forward within this report.

The business processes related to the scope of this audit are primarily located at GEHA's Lee's Summit and Independence, Missouri facilities. GEHA has two data centers supporting FEHBP processes in the greater Kansas City, Missouri area. Employees responsible for processing FEHBP claims are predominantly located in Independence, Missouri. The majority of claim output is printed and mailed at a contractor facility in St. Louis, Missouri. Several PPO contractor networks are also utilized to perform functions related to both claims input and output.

All GEHA personnel that worked with the auditors were particularly helpful and open to ideas and suggestions. They viewed the audit as an opportunity to examine practices and to make changes or improvements as necessary. Their positive attitude and helpfulness throughout the audit was greatly appreciated.

Objectives
The objectives of this audit were to evaluate controls over the confidentiality, integrity, and availability of FEHBP data processed and maintained in GEHA's information technology (IT) environment.

These objectives were accomplished by reviewing the following areas:
• Security management;
• Access controls;
• Segregation of duties;
• Configuration management;
• Contingency planning;
• Application controls specific to GEHA's claims processing systems; and,
• HIPAA compliance.

Scope
This performance audit was conducted in accordance with generally accepted government auditing standards issued by the Comptroller General of the United States. Accordingly, the OIG obtained an understanding of GEHA's internal controls through interviews and observations, as well as inspection of various documents, including information technology and other related organizational policies and procedures. This understanding of GEHA's internal controls was used in planning the audit by determining the extent of compliance testing and other auditing procedures necessary to verify that the internal controls were properly designed, placed in operation, and effective.

The OIG evaluated the confidentiality, integrity, and availability of GEHA's computer-based information systems used to process FEHBP claims, and found that there are opportunities for improvement in the information systems' internal controls. These areas are detailed in the "Audit Findings and Recommendations" section of this report.

The scope of this audit centered on the ______ claims processing system (and the IT environment that supports it) used by GEHA to process FEHBP claims.

In conducting our audit, we relied to varying degrees on computer-generated data provided by GEHA. Due to time constraints, we did not verify the reliability of the data used to complete some of our audit steps, but we determined that it was adequate to achieve our audit objectives. However, when our objective was to assess computer-generated data, we completed audit steps necessary to obtain evidence that the data was valid and reliable.

The audit was performed at GEHA offices in Lee's Summit, Missouri, and Independence, Missouri. These on-site activities were performed in September and October 2011. The OIG completed additional audit work before and after the on-site visits at OPM's office in Washington, D.C. The findings, recommendations, and conclusions outlined in this report are based on the status of information system general and application controls in place at GEHA as of December 15, 2011.

Methodology
In conducting this review the OIG:
• Gathered documentation and conducted interviews;
• Reviewed GEHA's business structure and environment;
• Performed a risk assessment of GEHA's information systems environment and applications, and prepared an audit program based on the assessment and the Government Accountability Office's (GAO) Federal Information System Controls Audit Manual (FISCAM); and
• Conducted various compliance tests to determine the extent to which established controls and procedures are functioning as intended. As appropriate, the auditors used judgmental sampling in completing their compliance testing.

Various laws, regulations, and industry standards were used as a guide in evaluating GEHA's control structure. These criteria include, but are not limited to, the following publications:
• Office of Management and Budget (OMB) Circular A-130, Appendix III;
• OMB Memorandum 07-16, Safeguarding Against and Responding to the Breach of Personally Identifiable Information;
• Information Technology Governance Institute's CobiT: Control Objectives for Information and Related Technology;
• GAO's Federal Information System Controls Audit Manual;
• National Institute of Standards and Technology's Special Publication (NIST SP) 800-12, Introduction to Computer Security;
• NIST SP 800-14, Generally Accepted Principles and Practices for Securing Information Technology Systems;
• NIST SP 800-30, Risk Management Guide for Information Technology Systems;
• NIST SP 800-34, Contingency Planning Guide for Information Technology Systems;
• NIST SP 800-41, Guidelines on Firewalls and Firewall Policy;
• NIST SP 800-53 Revision 3, Recommended Security Controls for Federal Information Systems;
• NIST SP 800-61, Computer Security Incident Handling Guide;
• NIST SP 800-66 Revision 1, An Introductory Resource Guide for Implementing the HIPAA Security Rule; and
• HIPAA Act of 1996.

Compliance with Laws and Regulations
In conducting the audit, the OIG performed tests to determine whether GEHA's practices were consistent with applicable standards. While generally compliant, with respect to the items tested, GEHA was not in complete compliance with all standards as described in the "Audit Findings and Recommendations" section of this report.

II. Audit Findings and Recommendations

A. Security Management
The security management component of this audit involved the examination of the policies and procedures that are the foundation of GEHA's overall IT security controls. We evaluated GEHA's ability to develop security policies, manage risk, assign security-related responsibility, and monitor the effectiveness of various system-related controls.

GEHA has implemented a series of formal policies and procedures that comprise a comprehensive security management program. GEHA's security management program is led by the company's IT professionals whose responsibilities include creating policies to protect against threats or improper use of sensitive data and HIPAA compliance. All policies and procedures are approved by an executive committee before they are published and posted on the company intranet. GEHA has also developed a thorough risk management methodology, and has procedures to document, track, and alleviate or accept identified risks.

We also reviewed GEHA's human resources policies and procedures related to hiring, training, transferring, and terminating employees.
However, we found that GEHA has not developed a rules of behavior agreement for information and information system usage.

NIST Special Publication 800-53 Revision 3, Recommended Security Controls for Federal Information Systems (NIST SP 800-53) states that "The organization: Establishes and makes readily available to all information system users, the rules that describe their responsibilities and expected behavior with regard to information and information system usage; and receives signed acknowledgment from users indicating that they have read, understand, and agree to abide by the rules of behavior, before authorizing access to information and the information system."

Without clearly defining their rules of behavior, the organization increases the risk of employees sharing account access information, downloading malicious software, sharing personally identifiable information, and general improper use of information systems.

Recommendation 1
We recommend GEHA develop a rules of behavior agreement and require all employees to sign the document.

GEHA Response:
"GEHA has an extensive orientation process where new hires are trained on various policies and procedures and are required to sign Acknowledgement of Responsibility forms. These acknowledgements encompass what one rules of behavior document would address."

OIG Reply:
We have received evidence that this recommendation has been implemented; no further action is required.

B. Access Controls
Access controls are the policies, procedures, and techniques used to prevent or detect unauthorized physical or logical access to sensitive resources.

We examined the physical access controls of GEHA's data centers, the Independence claims processing facility, and two Lee's Summit office buildings. We also examined the logical controls protecting sensitive data on GEHA's network environment and claims processing related applications.

In addition, we conducted a network topology scan to verify that all known assets were included within GEHA's system inventory list.

The access controls observed during this audit include, but are not limited to:
• Procedures for appropriately granting physical access to facilities and data centers;
• Procedures for revoking access to data centers for terminated employees;
• Procedures for removing ______ network access for terminated employees; and,
• Controls to monitor and filter email and Internet activity.

The following sections document several opportunities for improvement related to GEHA's physical and logical access controls.

1. Facility Physical Access Controls
The physical access controls at GEHA's facilities could be improved.

All of the facilities we visited utilize some form of ______ the building during off-peak working hours. ______ working hours. GEHA has a receptionist at each facility, but does not ______. Employees are required to ______ but there are no physical controls in place to ensure that every individual follows this procedure.

We expect all FEHBP contractors to, at a minimum, have card reader controlled turnstile gates at facility entrances and multi-factor authentication at data center entrances (e.g., cipher lock or biometric device in addition to an access card). In addition to implementing ______, GEHA should analyze the benefit of implementing the common physical access controls listed below that we typically see at other FEHBP carrier facilities.

Common Data Center Controls
• ______
• ______
• ______
• ______
• ______
• ______

Common Office Building Controls
• ______, and,
• ______

FISCAM states that "Controls should accommodate employees who work at the entity's facilities on an everyday basis; occasional visitors, such as employees of another entity facility or maintenance people; and infrequent or unexpected visitors. Physical security controls vary, but include: manual door or cipher key locks, magnetic door locks that require the use of electronic keycards, biometrics authentication, security guards, photo IDs, entry logs, and electronic and visual surveillance systems."

In addition, NIST SP 800-53 provides guidance for adequately controlling physical access to information systems containing sensitive data (see control PE-3, Physical Access Control).

Failure to implement adequate physical access controls increases the risk that unauthorized individuals can gain access to GEHA facilities and the sensitive IT resources and confidential data they contain.

Recommendation 2
We recommend that GEHA reassess its facilities' physical access management and implement controls that will ensure proper physical security.
At a minimum, GEHA should implement ______ multi-factor authentication (e.g., cipher ______ in addition to an access card) at data center entrances.

GEHA Response:
"GEHA is currently reassessing facilities access at all of our locations and adding the following controls to increase physical security.
1. ______
2. Data Center - Multi-Factor Authentication at Entrance (COMPLETED) ...
3. ______
4. ______
5. ______"

OIG Reply:
As part of the audit resolution process, we recommend that GEHA provide OPM's Healthcare and Insurance Office (HIO) with evidence that it has fully implemented each of the changes to the physical security discussed in its response.

2. Claim Storage Access Controls
Paper claims containing sensitive information are stored ______. However, GEHA does not separate access to ______. The claims storage area is locked during non-business hours, but during the day there are no physical controls to separate the two areas.

FISCAM states that "Many of the control techniques for interior security are similar to those for perimeter and entry security (for example, locks, surveillance systems, as well as using and controlling badges, ID cards, smartcards, passkey, and other entry devices)."

Failure to restrict access to the claims storage area increases the risk that unauthorized employees can gain access to sensitive data contained within the room.

In addition, GEHA does not currently have a process in place to monitor claims file access. There is no employee stationed within this area and claim files can be removed for referencing. GEHA was unable to produce a claims file access log.

NIST SP 800-53 states that "The organization ... Controls access to areas officially designated as publicly accessible in accordance with the organization's assessment of risk."

Failure to monitor and track access to claim files increases the risk that employees may manipulate, damage, or lose the claims.

Recommendation 3
We recommend that GEHA im______ require access to the ______.

GEHA Response:
"GEHA continues to keep this area locked during non-business hours and corrected this concern in October 2011 by installing a latching system on the inside of the storage area that prevents unsupervised access."

OIG Reply:
The intent of this recommendation is to ensure that claims are stored securely at all times, not just during non-business hours. As part of the audit resolution process, we recommend that GEHA provide OPM's HIO with evidence that the claims are securely stored, preventing unauthorized access to claim files at all times.

Recommendation 4
We recommend that GEHA implement a process to monitor and track access to claim files.

GEHA Response:
"The area where the claims are kept is separated from the ______ by a locked door. Access to this area is restricted to a limited number of claims clerical staff. There are no sign out procedures because claims leave this area only to be copied and immediately returned to the locked room."

OIG Reply:
As part of the audit resolution process, we recommend that GEHA provide OPM's HIO with the policy detailing the requirement to photocopy and immediately return claims to storage. Please also provide HIO with the policy which instructs GEHA employees to properly dispose of the claim form copies that contain PII.

3. Logical Access Controls
When employees are terminated, GEHA's policy is to remove their accounts from the ______ claims adjudication application.

We compared a list of recently terminated employees to the active ______ user list. We discovered that 20 terminated employees still had active accounts ______ and that several of those employees had multiple active accounts.

Most of these individuals were terminated prior to 2010. Although GEHA's current process appears to adequately remove ______ access for recently terminated users, it appears that there has never been an audit of old accounts to identify terminated users.

FISCAM states that "Inactive accounts and accounts for terminated individuals should be disabled or removed in a timely manner."

Recommendation 5
We recommend GEHA conduct a detailed access review audit of ______ user accounts to identify accounts with inappropriate access.

GEHA Response:
"GEHA Security Operations has taken multiple steps to better control ______ access. We have reviewed access for users with administrative access and have removed access that was inappropriate or no longer needed. To better establish and control access, we have developed a series of user templates that determine access by position. In doing so we have consulted with managers to verify access and remove any unneeded access. We have developed reporting from our payroll department that will allow us to better track users as they move within the organization or terminate. We have reviewed all previously terminated users to assure that all access has been removed.
For auditing purposes it is\n   necessary to leave ID s for terminated employees in place, however, all access to the ID is\n\n\n                                                  8\n\n\x0c   removed, the account is locked, and the associated_user id is removed. This activity\n   has been completed."\n\n   DIG Reply:\n   As part of the audit resolution process, we rec ommend that GEHA provide OPM \'s HIO with :\n       \xe2\x80\xa2\t Samples of the user templates tha t determine acce ss by position ;\n       \xe2\x80\xa2\t Samples of the reports generated from the payroll department to track transferred and\n          terminated employees;\n       \xe2\x80\xa2\t Evidence of the access review that took place to ensure tenninated user ac ce ss was\n          appropr iately removed ; and,\n       \xe2\x80\xa2\t Evidence of the ongoing logical acce ss auditing for a period of six months .\n\n4.\t Incident Response and Intrusion Detection\n   GEHA has docum ente d incident response procedures and has installed an intrusion detection\n   system. However, the intru sion detection system has not been configured to optimize its\n   security feat ures . GEHA has recentl y installed next generation firewalls and moni toring\n   softw are that has the ab ility to prevent an d de tect intrusions, however it is not configu red for\n   the GEHA envir onment. Ac cording to GE HA , a contractor will be going on-s ite in the near\n   future to assist in configur ing the tools an d trai ning employees.\n\n   FISCAM states that contro l technique s for an effect ive incident re sponse pro gram include "a\n   means of prompt centra lized reporting; active monitoring of alerts and advisories; [and]\n   resp onse team mem bers with the necessary knowl edge, skills, and ab ilities ...."\n\n   Failur e to prop erl y configure incident re sponse and intru sion dete ction tools could allow\n   incidents and intru sions to go urun oni tored and unresolved. 
This could lead to a loss of sensitive resources.

Recommendation 6
We recommend that GEHA configure its intrusion detection tools to optimize their capabilities.

GEHA Response:
"GEHA uses a [redacted] firewall that includes intrusion detection capabilities. The intrusion detection capabilities were recently activated and are being monitored to determine effectiveness in detecting known attacks. [redacted] are updated regularly to assure that detection capabilities are current. The Security Operations team will assist the Enterprise Architecture team in fine-tuning the detection capabilities [redacted] reveals changes that can be made to improve the system's response. [redacted]"

5. Remote Access Authentication
GEHA does not require [redacted] to access its network from a remote location. Employees are required to use their [redacted] to remotely authenticate to GEHA's network. [redacted] consist of a [redacted]. [redacted] is to implement [redacted] in the future by requiring the [redacted].

NIST SP 800-53 Revision 3 states that information systems should use multifactor authentication for local and network access to privileged and non-privileged accounts.

Failure to implement adequate authentication controls increases the risk that unauthorized individuals can gain access to sensitive resources and confidential data.

Recommendation 7
We recommend that GEHA implement [redacted].

GEHA Response:
"GEHA has taken steps to purchase and implement [redacted] remote access users.
Remote web access to GEHA resources [redacted] GEHA [redacted] environment using [redacted] and [redacted]. This project has been completed for all users with remote access."

OIG Reply:
As part of the audit resolution process, we recommend that GEHA provide OPM's HIO with evidence when the [redacted] implementation is complete and [redacted] is required for all remote access users.

6. Segregation of Duties
GEHA does not enforce proper segregation of duties on its major applications. Currently, only one major application is monitored for proper segregation of duties. Furthermore, the process for monitoring segregation of duties is not documented.

FISCAM states that "Work responsibilities should be segregated so that one individual does not control critical stages of a process." FISCAM also states that "Management should have analyzed operations and identified incompatible duties that are then segregated through policies and organizational divisions."

Failure to implement adequate segregation of duties increases the risk that erroneous or fraudulent transactions could be processed, that improper program changes could be implemented, or that computer resources could be damaged or destroyed.

Recommendation 8
We recommend that GEHA document a process for ensuring application access is granted with proper segregation of duties and implement the process for all major applications.

GEHA Response:
"GEHA has taken steps to identify duties within the claims processing area and has defined those activities that present a potential violation of the segregation of duties. [redacted] access has been reviewed and conflicting access removed. Other applications have initially been configured to reduce conflicts, but currently need to be reviewed and any conflicts removed.
Expected completion of this activity is by the end of the fourth quarter of 2012.

GEHA's Internal Audit Department performs an annual audit of access rights on major applications for employees who have terminated or transferred positions."

7. Logical Access Privileges Approval and Review
GEHA does not routinely recertify that employee application access is appropriate for all major applications. Currently, only one application is subject to a full access recertification review by the system owners. GEHA's Internal Audit Group does perform periodic application access reviews, but the review includes only a small sample of employees.

FISCAM states that "The computer resource owner should identify the specific user or class of users that are authorized to obtain direct access to each resource for which they are responsible. . . . The owner should identify the nature and extent of access to each resource that is available to each user. [This includes the following types of access: read, update, delete, merge, and execute] Access may be permitted at the file, record, or field level. . . . Owners should periodically review access authorization listings and determine whether they remain appropriate. Access authorizations should be documented on standard forms and maintained on file."

Failure to routinely recertify the appropriateness of application access could allow employees to perform functions or access sensitive information that they should not have approval to access.

Recommendation 9
We recommend that GEHA expand the access recertification process to all major applications.

GEHA Response:
"The GEHA Security Operations team is in the process of working with managers to develop role based access templates for [redacted] and major applications.
During the process we are aligning current access of individuals to templates created for the role or job title they hold. Managers are reviewing access changes to align with templates created. Going forward the Security Operations team will use these application reports and templates to verify with management the access of all employees at least annually."

8. Application Access Monitoring
GEHA does not adequately monitor user access to its applications. Weekly access violation reports are emailed to management, but the reports are not reviewed. GEHA is in the process of creating an Information Security Group that will take over security monitoring responsibilities for the entire company, including the review of access violation reports. Furthermore, GEHA does not monitor user activity within the claims processing application.

FISCAM states that "Audit and monitoring involves the regular collection, review, and analysis of indications of inappropriate or unauthorized access to the application." Management should monitor access within the application (i.e., unauthorized access attempts, unusual activity, etc.).

Failure to monitor activity logs and violation reports could allow attempts to gain unauthorized access to sensitive computer resources to continue unnoticed.

Recommendation 10
We recommend that GEHA implement a process to log and review user access to and activity within its applications.

GEHA Response:
"The Security Operations team has developed [redacted] reports. [redacted] for [redacted] and other applications are not available at this time. [redacted] reports are reviewed, users are contacted to respond to violations, and notations are made electronically on the report pdf file. The file is stored along with related correspondence. This process is currently implemented."
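One way to carry out the terminated-account review of section 3 and the access and activity monitoring of section 8 together, as an added example that is not GEHA's or the OIG's own code; every employee id, account name, date and log line below is constructed for illustration.

```python
"""Added example (not GEHA's or the OIG's code) for sections 3 and 8: reconcile
an HR termination feed against the active accounts of a claims application,
flag people holding several accounts, and review constructed application
activity log lines for activity by terminated users, failed log-on streaks and
off-hours claim transactions. Every name, id and log format is constructed."""
from collections import defaultdict
from datetime import date, datetime

REVIEW_DATE = date(2012, 4, 30)  # constructed date of the access review

# Constructed HR feed: employee id -> termination date (None = still employed).
HR_TERMINATIONS = {
    "E1001": date(2009, 6, 30),
    "E1002": None,
    "E1003": None,
    "E1004": date(2008, 11, 1),
    "E1005": date(2012, 3, 15),
}

# Constructed account list of the claims adjudication application:
# (account id, owning employee id, account status).
ACTIVE_ACCOUNTS = [
    ("jsmith", "E1001", "active"),
    ("jsmith2", "E1001", "active"),  # second account held by the same person
    ("mjones", "E1002", "active"),
    ("rlee", "E1003", "active"),
    ("tbrown", "E1004", "locked"),   # terminated, but already locked
    ("kwong", "E1005", "active"),
]

# Constructed activity log, one event per line: timestamp|account|event|detail
ACTIVITY_LOG = """\
2012-04-02T08:15:00|mjones|LOGON_OK|
2012-04-02T08:20:11|jsmith|LOGON_OK|
2012-04-02T08:21:40|jsmith|CLAIM_ADJUST|claim=C-7781 amount=1250.00
2012-04-02T09:02:03|rlee|LOGON_FAIL|bad password
2012-04-02T09:02:30|rlee|LOGON_FAIL|bad password
2012-04-02T09:03:01|rlee|LOGON_FAIL|bad password
2012-04-02T09:03:25|rlee|LOGON_FAIL|bad password
2012-04-02T23:40:00|mjones|CLAIM_ADJUST|claim=C-7790 amount=40.00
"""


def review_terminated_accounts(hr, accounts, as_of=REVIEW_DATE):
    """Return active accounts whose owner has left, oldest termination first.
    Days since termination make long-forgotten accounts (the report's pre-2010
    population) sort to the top of the review list."""
    findings = []
    for account, emp, status in accounts:
        term = hr.get(emp)
        if term is None or status != "active":
            continue
        findings.append({"account": account, "employee": emp,
                         "terminated": term.isoformat(),
                         "days_since_termination": (as_of - term).days})
    return sorted(findings, key=lambda f: -f["days_since_termination"])


def multiple_accounts(accounts):
    """Return {employee: [accounts]} for people holding more than one active account."""
    by_emp = defaultdict(list)
    for account, emp, status in accounts:
        if status == "active":
            by_emp[emp].append(account)
    return {emp: accts for emp, accts in by_emp.items() if len(accts) > 1}


def review_activity(log_text, hr, accounts, fail_threshold=3):
    """Return (account, reason, log line) alerts for a reviewer.
    Rules: any event by an account whose owner is terminated; a streak of
    fail_threshold failed log-ons; claim transactions outside 07:00-19:00."""
    owner = {acct: emp for acct, emp, _ in accounts}
    streak = defaultdict(int)
    alerts = []
    for line in log_text.splitlines():
        ts, account, event, _detail = line.split("|", 3)
        when = datetime.fromisoformat(ts)
        emp = owner.get(account)
        if emp is not None and hr.get(emp) is not None:
            alerts.append((account, "activity by terminated user", line))
        if event == "LOGON_FAIL":
            streak[account] += 1
            if streak[account] == fail_threshold:
                alerts.append((account, f"{fail_threshold} consecutive failed log-ons", line))
        else:
            streak[account] = 0
        if event.startswith("CLAIM_") and not 7 <= when.hour < 19:
            alerts.append((account, "claim transaction outside business hours", line))
    return alerts


if __name__ == "__main__":
    for f in review_terminated_accounts(HR_TERMINATIONS, ACTIVE_ACCOUNTS):
        print("terminated user with active account:", f)
    print("users holding multiple accounts:", multiple_accounts(ACTIVE_ACCOUNTS))
    for account, reason, line in review_activity(ACTIVITY_LOG, HR_TERMINATIONS, ACTIVE_ACCOUNTS):
        print(f"ALERT {account}: {reason} <- {line}")
```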
OIG Reply:
The intent of this recommendation was not to simply monitor log-on violations at the [redacted] but also to audit user transactions within the claims processing system. As part of the audit resolution process, we recommend that GEHA provide OPM's HIO with evidence of a solution to monitor the claims processing system's user activity.

9. Claims Processing System Password Modification
GEHA uses a [redacted] when creating all new [redacted] user accounts or resetting the password of existing accounts. While GEHA requires that the temporary password be changed after the first login attempt, this is not a sufficient compensating control. The process for establishing and changing passwords for the claims processing system is less secure than other major applications at GEHA. For other applications, an email is automatically sent to the user with a randomly generated temporary password that they use to establish new accounts or unlock existing ones.

NIST SP 800-118 (draft) states that "Randomly generated or arbitrarily chosen [one time passwords], not default or patterned passwords (e.g., "NIST0722"), should be used during account creation and password reset processes. This ensures that if the user does not promptly change the assigned password, that the password will not be easily guessable."

Failure to use randomly generated temporary passwords increases the risk that a person could gain unauthorized access to the claims processing system by exploiting the default password.

Recommendation 11
We recommend that GEHA program the new claims processing system to use randomly generated temporary passwords for users who need to establish new accounts and users who lock themselves out of the system.
The passwords should be automatically emailed to the user requesting access.

GEHA Response:
"The Security Operations team will review current practices for creating [redacted] IDs and modify that process as necessary adding steps to require interaction with the Help Desk before a user id is activated or first use. The new claims system uses authentication based on [redacted] where users will automatically authenticate [redacted] as they activate the application client. [redacted] password management will be reviewed and changes made as necessary to randomize initial passwords. A password self-service tool will be investigated to see if they provide a more secure method for changing initial or forgotten passwords. Changes to processes will be completed by the fourth quarter of 2012."

C. Configuration Management

[redacted] is housed in a [redacted] control managed by [redacted]. [redacted] supporting the claims adjudication process are housed in a [redacted] with the [redacted]. We evaluated GEHA's management of this system software and have serious concerns regarding its overall configuration management program.

The sections below document areas for improvement related to GEHA's configuration management controls. We believe that the severity of the weaknesses related to configuration management represents a significant deficiency in GEHA's ability to securely process FEHBP data in its IT environment.

1. Baseline Configurations
GEHA has not documented a secure baseline configuration for its servers or mainframe. New system software is currently configured using employees' collective knowledge of best practices.
However, no standard configuration documentation has been created for any system software used by the organization. In December 2011, GEHA created a Baseline Server Configuration and Maintenance Plan that details the new process for creating configuration baselines for three server operating systems. The actual baseline documents are scheduled for completion in 2012.

FISCAM states that "The entity should maintain current configuration information in a formal configuration baseline that contains the configuration information formally designated at a specific time during a product's or product component's life. Configuration baselines, plus approved changes from those baselines, constitute the current configuration information. There should be a current and comprehensive baseline inventory of hardware, software, and firmware, and it should be routinely validated for accuracy."

Failure to create baseline configurations increases the likelihood that newly implemented or modified hardware, software, and firmware will not be securely configured.

Recommendation 12
We recommend that GEHA formally document baseline configurations for its hardware, software, and firmware.

GEHA Response:
"GEHA is addressing secure baseline configuration in a three-phase approach. Each phase will document the system function, inventory, configurations and security hardening requirements. For the initial phase, GEHA is focusing on [redacted]"

2. Monitoring System Administrator Activity
GEHA's management does not monitor system administrator activity. GEHA currently employs [redacted] administrators that have the authority to control security for the entire system. [redacted] has a reporting capability that documents any changes that the administrators make to the system.
However, these reports are not currently reviewed.

NIST SP 800-53 Revision 3 requires that "The organization ... Tracks and monitors privileged role assignments. Privileged roles include, for example, key management, network and system administration, database administration, [and] web administration."

Failure to document and track system administrator activity could allow unintended or malicious events to go undetected and increase system vulnerability.

Recommendation 13
We recommend that GEHA implement a process to routinely monitor system administrator activity.

GEHA Response:
"The Security Operations team has developed a daily process to review [redacted] administrator activity reports. The [redacted] reports are reviewed, users are contacted to respond to questionable activities, and notations are made electronically on the report pdf file. The file is stored along with related correspondence. The new claims processing system will require different tools to track administrative access because access will primarily be controlled through [redacted]. It may be possible to track administrative access within the new application but that is unknown at this time. A tool is being investigated that will track user data view and that tool may provide additional visibility within the new claims application. [redacted] administrator activity monitoring is currently implemented."

OIG Reply:
As part of the audit resolution process, we recommend that GEHA provide OPM's HIO with samples of the reports generated to monitor [redacted] administrator activity as well as evidence of the review to routinely monitor system administrator activity.

3. Configuration Auditing
GEHA performs configuration audits of its [redacted] servers.
However, they do not adequately use the results of the audits to enhance system security. The results of the audits revealed numerous configuration settings that were below industry standards. To confirm these results, we used an automated tool to conduct a compliance audit on over 150 production servers to determine if configuration settings were in compliance with HIPAA and industry standards. The results of the scan revealed major compliance issues in each server (the results of the scan were provided to GEHA but will not be detailed in this report due to the sensitive nature of the information).

FISCAM states "Current configuration information should be routinely monitored for accuracy. Monitoring should address the current baseline and operational configuration of the hardware, software, and firmware that comprise the information system. . . . Monitoring, sometimes called configuration audits, should be periodically conducted to determine the extent to which the actual configuration item reflects the required physical and functional characteristics originally specified by requirements."

Failure to analyze the results of configuration audits and appropriately adjust software settings increases the risk of improper and less secure system software configuration.

Recommendation 14
We recommend that GEHA address the issues detected by the compliance audit and routinely monitor system software configuration to ensure compliance with established baselines.

GEHA Response:
"The recent purchase of a security vulnerability scanning tool by the Security Operations team gives us the ability to scan configuration settings of individual [redacted] servers once
Security Operations will work with the Enterprise Architecture\n   to assure that appropriate settings are routinely scanned and addressed. This\n   recommendation should be completed by the end ofthe fourth quarter of2012."\n\n4. Vulnerability Scanning and\n   GEHA does not perform routine vulnerability scanning of its computer servers. We used an\n   automated tool to conduct a vulnerability scan of GEHA \'s server environment to determ ine if\n   its servers were ro erl secured . We discovered num erous weaknesses related to _\n                                                                  (the results of the scan were\n   provided to GEHA but w ill not be deta~ue to the sensitive nature of the\n   information). GEHA has doclilllente d _ procedur es, but they are not being\n   enforced.\n\n   \\Ve used another automate d tool to conduct\n   scans on GEHA \'s\n   product any negative results. The                                    was term inated prematurel y\n   because it caused a disruption to GEHA\' s production environment. However, the limited\n   results that were return ed from this scan indicated that the                   may be vulnerable\n   to                                                          s t e resu ts 0 t ie scan were\n   provided to GEHA but w ill not be detailed in this report due to the sensitive nature of the\n   information). We believe that the extent of the securit wea knesses could be better eva luated\n   by a third party company that specializes in\n\n   FISCAM states that "Software should be scanned and updated frequ ently to gua rd against\n   kn own vulnerabilities." NIST SP 800-53 Revision 3 states "TIle organization (including any\n   contractor to the organization) promptly installs security-relevant software updates (e.g.,\n   patches, service packs, and hot fixes). 
Flaws discovered during security assessments, continuous monitoring, incident response activities, or information system error handling, are also addressed expeditiously."

Failure to promptly install [redacted] increases the risk that vulnerabilities will not be remediated and unauthorized [redacted] gain access to the system. Furthermore, the weakness within the [redacted] could be compromised, allowing unauthorized users access to PII.

Recommendation 15
We recommend that GEHA implement a process to conduct routine vulnerability scans and track any identified weaknesses until they are remediated.

GEHA Response:
"A product to scan systems for vulnerabilities has recently been purchased and a project has been created to develop processes for scanning, notification of findings, risk assessment, remediation, and review. The project will focus on reducing the risk to the organization by implementing a routine vulnerability monitoring and remediation program. This recommendation should be completed by the end of the fourth quarter of 2012."

Recommendation 16
We recommend that GEHA install the [redacted] that were identified in the scan results and, in the future, improve the patch management process to ensure that [redacted] are installed promptly.

GEHA Response:
"[redacted] to identify [redacted] importance developing and implementing [redacted], determine applicability to GEHA systems, and distribute and implement on GEHA systems to prevent and minimize the risk of security breaches and losses.
GEHA is initiating a formal program to mitigate the risk presented by the [redacted] program will be a combination of technology in the form of [redacted] and deployment software and processes to identify, test and deploy software updates following a risk-based management approach. . . ."

Recommendation 17
We recommend that GEHA contract with a third party vendor that specializes in [redacted] vulnerability assessments to conduct a thorough [redacted] vulnerability assessment of its [redacted].

GEHA Response:
"[redacted] in two different [redacted] 2012, [redacted] to conduct a comprehensive [redacted]. The scope of the assessment included our [redacted]. Our IT and Security [redacted] issues noted in that assessment. In addition, GEHA is currently redesigning our [redacted] and Security teams are involved in those discussions to ensure that any open vulnerabilities or concerns are addressed in the new design.

[redacted] we are addressing this issue is the purchase and implementation of [redacted]. Our Information Security Analysts have installed this solution and are currently conducting configuring and testing. This tool will be used on a continuous basis to assist security in identifying vulnerabilities affecting our infrastructure and will assist in the risk ranking of those vulnerabilities to drive remediation priorities. The solution will have the ability to not only alert security staff to vulnerabilities [redacted] but also vulnerabilities on our [redacted].
We expect to have [redacted] in our production environment and identifying vulnerabilities by Q3 of 2012.

We feel that it is important and we plan to continue engaging a third party to conduct an independent assessment; however, due to the addition of our [redacted] tool and vulnerability management processes, we will be reducing the frequency of those from annually to perhaps every other year."

OIG Reply:
As part of the audit resolution process, we recommend that GEHA provide OPM's HIO with the following evidence: the [redacted] vulnerability assessment and penetration test results, evidence of the tracking and remediation of weaknesses, evidence of the implementation of [redacted] and the functionality of the tool.

5. Updating System Software
GEHA is currently running a version of [redacted] that is not supported by the vendor. GEHA has begun the process of upgrading to a supported operating system, but the upgrade is not complete.

FISCAM states that "Software should be scanned and updated frequently to guard against known vulnerabilities. In addition to periodically looking for software vulnerabilities and fixing them, security software should be kept current by establishing effective programs for patch management, virus protection, and other emerging threats. Also, software releases should be adequately controlled to prevent the use of noncurrent software....
Procedures should ensure that only current software releases are installed in information systems. Noncurrent software may be vulnerable to malicious code such as viruses and worms."

Failure to use an operating system that is supported by the vendor increases the risk that the operating system contains vulnerabilities that cannot be fixed or patched.

Recommendation 18
We recommend that GEHA continue its efforts to upgrade the [redacted] operating system to a vendor-supported version.

GEHA Response:
"GEHA is continuing the efforts to update the [redacted] operating systems to vendor supported versions. We are working through the [redacted] and custom-developed application dependencies which require update before the [redacted] operating systems can be updated. GEHA has also had to procure and implement a new [redacted] storage subsystem to allow for the increased capacity needs for the testing environments for process and inter-operability testing."

D. Contingency Planning
We reviewed GEHA's service continuity program to determine whether controls were in place to prevent or minimize damage and interruptions to business operations when disastrous events occur.

We evaluated GEHA's contingency planning documentation to determine whether it outlined procedures for maintaining critical services for its members should business operations be disrupted. The following elements of GEHA's contingency planning program were reviewed:
• Business continuity plans for several major business units including claims, telecommunications/customer service,
and check printing;
• Disaster recovery plan for the [redacted] claims processing system;
• Disaster recovery tests conducted in conjunction with an [redacted] recovery site; and,
• Emergency response procedures and training.

We determined that critical elements suggested by NIST SP 800-34, "Contingency Planning Guide for IT Systems," were addressed in the service continuity documentation reviewed. GEHA has identified which systems and resources are critical to business operations and how to recover those systems and resources.

GEHA does not perform a complete disaster recovery test for all systems. We were provided evidence that GEHA routinely performs a disaster recovery test of the [redacted] at the recovery site. However, we learned that there is no routine [redacted] the [redacted] environment. While the claims processing system resides on the [redacted], the [redacted] environment supports other critical GEHA applications.

FISCAM states that "Testing contingency plans is essential to determining whether they will function as intended in an emergency situation. The most useful scenarios involve simulating a disaster situation to test overall service continuity."

Failure to perform annual disaster recovery tests on the [redacted] decreases the likelihood that GEHA will be able to completely restore [redacted] of a disaster.

Recommendation 19
We recommend that GEHA conduct and document an annual disaster recovery test for the [redacted].

GEHA Response:
"GEHA has designed and implemented [redacted] site co-location facility that will function as the disaster recovery site for [redacted]. GEHA is currently replicating all [redacted] data to the site through the use of the [redacted] data protection platform.

GEHA is scheduled to perform disaster recovery testing in Q3 of 2012.
We have hired a Manager of Enterprise Risk that will be responsible for working with IT to maintain/update our BCP/DR plans to reflect the above changes and to assist in coordinating testing exercises. This person is currently assisting on our claims system conversion and will be joining the Enterprise Security and Risk Management team in Q3 of 2012. His focus will be BCP/DR and other Enterprise Risk Management initiatives."

E. Application Controls
Application Configuration Management
We evaluated the policies and procedures governing software development and change control of GEHA's [redacted] claims processing application.

GEHA has a series of policies and procedures related to application configuration management. GEHA has adopted a traditional system development life cycle methodology that IT personnel follow during routine software modifications. The following controls related to testing and approvals of software modifications were observed:
• GEHA has implemented change tracking software and correlating business practices that allow modifications to be tracked throughout the change process; and,
• Code, unit, system, and quality testing are all conducted in accordance with industry standards.

Claims Processing System
We evaluated the input, processing, and output controls associated with [redacted]. In terms of input controls, we documented the policies and procedures adopted by GEHA to help ensure that: 1) there are controls over the inception of claims data into the system; 2) the data received comes from the appropriate sources; and, 3) the data is entered into the claims database correctly. We also reviewed GEHA's quality assurance methods for reconciling processing totals against input totals and for evaluating the accuracy of its processes.
Finally, we examined the security of physical input and output (paper claims, checks, explanation of benefits, etc.).

GEHA informed us that they are in the initial development phase of implementing a new claims processing system, [redacted]. This is scheduled for completion by the end of 2012.

Provider Networks Involvement in Claims Processing
GEHA utilizes PPO Contractor Networks [redacted] perform functions related to claims input and clinical editing. One Network, [redacted], has responsibilities for input, clinical edits, and output processes. During the course of our audit, we toured the facilities responsible for both the input and output of GEHA's UHC claims. We determined that there are sufficient processes in place to ensure the effective input of claims data.

GEHA sends [redacted] then prints provider checks from a GEHA bank account. However, GEHA and [redacted] do not reconcile the quantity and dollar amount of checks printed to the original submission by GEHA.

Without a reconciliation of the actual checks printed by [redacted] to those submitted by GEHA, there is an increased likelihood that improper claim payments will go undetected.

Recommendation 20
We recommend that GEHA, in collaboration with [redacted], develop a process to reconcile printed checks.

GEHA Response:
"We have initiated a project with our Project Management Department and have assembled a team to address this recommendation. We plan to coordinate with [redacted] and have a reconciliation process implemented once we have identified and created the necessary internal reporting."

Enrollment
We evaluated GEHA's procedures for managing its database of member enrollment data.
GEHA receives its enrollment data via fax, mail, and electronic update files. The majority of enrollment information is received electronically (about 70%) and is input into the database automatically. Enrollment information is otherwise input manually into the database. Information that is manually entered into the system is audited by enrollment specialists. Daily error reports are generated for managers to view as a part of the employee performance evaluation, and are also used during the audit process by the enrollment specialists.

GEHA receives an e-mail attachment containing the quantity and type of enrollment file transmissions; however, at the time of the audit GEHA did not have a process to reconcile what is sent with what is actually received. As a result of our audit, GEHA stated that it will begin a reconciliation process using the e-mail attachment and the files received.

There were no further concerns regarding GEHA’s enrollment policies, processes, and procedures.

Debarment
GEHA has adequate procedures for updating its claims system with debarred provider information, but it does not routinely audit its debarment database for accuracy.

GEHA downloads the OPM OIG debarment list every month and compares it to its provider maintenance file. Any debarred providers that appear in GEHA’s provider master database are flagged to prevent claims submitted by that provider from being processed by the claims processing system.

However, this process is done manually, and GEHA does not do a full reconciliation of the debarment list with its provider master database.

Failure to audit the accuracy of the debarment file increases the risk that claims are being paid to providers that are debarred.

Recommendation 21
We recommend that GEHA implement an audit process for the full debarment file.

GEHA Response:
“GEHA does currently perform a monthly 3% audit on our full debarment file.
However, based on the recommendation of OPM, we have increased the audit to 100% of the full debarment file effective April 15, 2012.”

OIG Reply:
As part of the audit resolution process, we recommend that GEHA provide OPM’s HIO with evidence of the monthly audit of the debarment file for a period of three months.

Application Controls Testing
To validate claims processing controls, a testing exercise was conducted on the GEHA [redacted] system. This test was conducted at GEHA’s Independence, Missouri facility with the assistance of GEHA personnel. The exercise involved processing claims designed with inherent flaws in the test environment of the claims adjudication application. Upon conclusion of the testing exercise, the expected results were compared with the actual results obtained during the exercise.

The sections below document the opportunities for improvement that were noted related to application controls. GEHA intends to replace [redacted] with a new claims processing system called [redacted]. The recommendations contained within this section are directed toward this new system.

1. Clinical Edits
We submitted a hospital claim for a male with a diagnosis of postmenopausal bleeding and a procedure code for a total abdominal hysterectomy. This claim was processed and paid without encountering any system edits, despite the fact that this procedure could not be performed on a male. We were informed by GEHA that [redacted] does not have any clinical edits in place for hospital claims.
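The edits that this finding, the therapy visit counter (item 2) and the overlapping hospital stays (item 3) below describe as missing, written out as an added example; this is not GEHA’s code nor the claims system’s, and it also folds in the debarred-provider block from the Debarment section above. It shows a sex-specific procedure edit applied to hospital as well as professional claims, therapy time rounded up into 2-hour visits against the 60-per-year limit (so 2.25 hours counts as two visits), and room-and-board charges compared on member, facility and dates of service rather than revenue code alone. Procedure and revenue codes, member, provider and facility identifiers and the sample claims are all constructed placeholders.

```python
# Added example, not GEHA's or the claims system's code: the adjudication edits
# the OIG test claims showed to be missing, run over constructed sample claims.
from dataclasses import dataclass
from datetime import date
import math

# Placeholder codes and identifiers; not real CPT, ICD-9 or UB-04 values.
SEX_SPECIFIC_PROCEDURES = {"PROC-HYST-TAH": "F"}   # total abdominal hysterectomy
THERAPY_PROCEDURES = {"PROC-PT-VISIT", "PROC-OT-VISIT"}
ROOM_AND_BOARD_CODES = {"REV-SEMI-PRIVATE", "REV-ICU"}
HOURS_PER_VISIT = 2.0      # plan brochure: 2 hours per therapy visit
VISITS_PER_YEAR = 60       # plan brochure: 60 therapy visits per calendar year


@dataclass
class Claim:
    claim_id: str
    member_id: str
    member_sex: str                     # "M" or "F"
    provider_id: str                    # billing provider or facility
    procedure: str = ""
    revenue_code: str = ""
    hours: float = 0.0                  # therapy time billed on the claim
    service_from: date = date(2012, 1, 1)
    service_to: date = date(2012, 1, 1)


def clinical_edit(claim):
    """Hard edit for a sex-specific procedure billed for a member of the other
    sex. Applied to every claim type, so hospital claims are covered too."""
    required = SEX_SPECIFIC_PROCEDURES.get(claim.procedure)
    if required is not None and claim.member_sex != required:
        return f"procedure {claim.procedure} not valid for member sex {claim.member_sex}"
    return None


def visits_for_hours(hours):
    """Count therapy time in 2-hour units, rounding up: 2.25 hours is two
    visits, not one. A claim with no time billed still counts as one visit."""
    return max(1, math.ceil(hours / HOURS_PER_VISIT))


def therapy_edit(claim, paid_visits):
    """Annual limit keyed by member and calendar year of service; paid_visits
    is the running count and is updated only when the claim passes."""
    if claim.procedure not in THERAPY_PROCEDURES:
        return None
    key = (claim.member_id, claim.service_from.year)
    visits = visits_for_hours(claim.hours)
    if paid_visits.get(key, 0) + visits > VISITS_PER_YEAR:
        return f"{visits} visit(s) would exceed {VISITS_PER_YEAR} visits for {key[1]}"
    paid_visits[key] = paid_visits.get(key, 0) + visits
    return None


def overlapping_stay_edit(claim, paid_stays):
    """Flag room-and-board charges whose dates of service overlap a stay already
    paid for the same member at the same facility, whatever the revenue code.
    A duplicate check on revenue code alone misses ICU and semi-private room
    charges billed for the same day."""
    if claim.revenue_code not in ROOM_AND_BOARD_CODES:
        return None
    for prior in paid_stays:
        same_stay = (prior.member_id, prior.provider_id) == (claim.member_id, claim.provider_id)
        overlap = claim.service_from <= prior.service_to and prior.service_from <= claim.service_to
        if same_stay and overlap:
            return f"dates of service overlap paid stay {prior.claim_id}"
    return None


def debarment_edit(claim, debarred):
    """Block claims from providers on the downloaded debarment list."""
    return f"provider {claim.provider_id} is debarred" if claim.provider_id in debarred else None


def adjudicate(claims, debarred=frozenset(), prior_visits=None):
    """Run the edits in submission order; returns claim_id -> 'PAY' or pend reason."""
    paid_visits = dict(prior_visits or {})
    paid_stays, results = [], {}
    for claim in claims:
        reason = (debarment_edit(claim, debarred)
                  or clinical_edit(claim)
                  or therapy_edit(claim, paid_visits)
                  or overlapping_stay_edit(claim, paid_stays))
        if reason:
            results[claim.claim_id] = "PEND: " + reason
            continue
        if claim.revenue_code in ROOM_AND_BOARD_CODES:
            paid_stays.append(claim)
        results[claim.claim_id] = "PAY"
    return results


# Constructed test claims modelled on the audit scenarios.
SAMPLE_CLAIMS = [
    Claim("C1", "M001", "M", "FAC-A", procedure="PROC-HYST-TAH"),              # hysterectomy, male member
    Claim("C2", "M002", "F", "PRV-B", procedure="PROC-PT-VISIT", hours=2.25),  # 2.25 h with 59 visits paid
    Claim("C3", "M003", "F", "FAC-C", revenue_code="REV-ICU",
          service_from=date(2012, 3, 1), service_to=date(2012, 3, 3)),
    Claim("C4", "M003", "F", "FAC-C", revenue_code="REV-SEMI-PRIVATE",
          service_from=date(2012, 3, 1), service_to=date(2012, 3, 1)),         # same facility, same day
    Claim("C5", "M004", "M", "PRV-X", procedure="PROC-PT-VISIT", hours=1.0),   # debarred provider
]

if __name__ == "__main__":
    for cid, status in adjudicate(SAMPLE_CLAIMS, {"PRV-X"}, {("M002", 2012): 59}).items():
        print(cid, status)
```

Each edit returns a pend reason rather than silently denying, which matches the response option GEHA describes later (pend, deny, or warn); pending keeps the claim out of the batch path where a warning message would never be seen by an adjudicator.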
The lack of clinical edits for hospital claims was a prior recommendation in 2005.

This system weakness increases the risk that benefits are being paid for procedures associated with a diagnosis that may not warrant such treatment.

Recommendation 22
We recommend that GEHA ensure that comprehensive medical edits are incorporated into the development of the new [redacted] claims processing system.

GEHA Response:
“Our review of the [redacted] System and the new clinical editor has shown that [redacted] does not currently have edits for inpatient hospital claims. This specific claim example would not be captured in any of the edits. We will investigate the system capabilities of creating the configuration to assist in up front identification of these claims. There are [redacted] edits for outpatient hospital claims.

For the professional claim example, we have test cases developed to review diagnosis to procedure code edits. The system can then be coded to pend, deny, or use a warning message.

We have not received the latest version of [redacted] to test at this time. We will add these examples to our requirements and set up specific test cases to test capabilities to ensure accurate processing . . . .”

OIG Reply:
The lack of clinical edits in GEHA’s claims processing system extends back to a prior OPM OIG audit from 2005. Clinical edits are a necessary element of implementing a new claims processing system. We continue to recommend that GEHA make the appropriate system modifications to ensure clinical edits are implemented for both professional and facility claims. As part of the audit resolution process, we recommend that GEHA provide OPM’s HIO with appropriate supporting documentation indicating its progress in successfully implementing these modifications.

2.
Therapy Visit Counter
Procedure codes for therapy visits indicate a specific length of time of the services provided. The benefit structure only allows 2 hours per visit in addition to limiting the number of visits per year to 60. GEHA is not appropriately calculating the length of time per visit.

The OIG submitted a series of claims to test [redacted]’s ability to limit physical and occupational therapy visits to 60 per calendar year. While the system is configured to stop paying claims after 60 visits, we submitted a visit for 2.25 hours, and it was counted as 1 visit rather than two.

This system weakness increases the risk that providers are paid for rendering non-covered services.

Recommendation 23
We recommend that GEHA ensure that the appropriate system modifications be incorporated into the [redacted] claims processing system to ensure that therapy benefits are limited in accordance with the plan brochure.

GEHA Response:
“GEHA agrees with the recommendation to ensure this is addressed in the conversion to [redacted]. However, between now and the time of conversion to [redacted], we have implemented interim procedures in the Claims Department to adjudicate claims correcting the calculation of time per visit.”

OIG Reply:
As part of the audit resolution process, we recommend that GEHA provide OPM’s HIO with supporting documentation for the interim process showing that therapy claims are automatically detected for manual review/calculation. Furthermore, we recommend GEHA provide evidence of the implementation of these edits in place in the [redacted] claims processing system.

3.
Overlapping Hospital Stays
The [redacted] system paid duplicate room and board charges on test claims for a member with two overlapping hospital stays.

The system does not have edits in place to prevent both room and board and intensive care charges for the same time period. We submitted a claim for an intensive care room and a subsequent claim for a semi-private room at the same facility on the same day. We were informed by GEHA representatives that [redacted] only looks at the revenue code for duplicate billing. As long as different revenue codes are used, the system will never detect multiple claims containing overlapping dates of service for hospital stays.

This system weakness increases the risk that hospitals are being paid for duplicate room and board expenses.

Recommendation 24
We recommend that GEHA ensure that the appropriate system configurations are made to [redacted] to prevent duplicate payments for claims with overlapping dates of service.

GEHA Response:
“GEHA agrees with the recommendation and will explore the system configuration available in [redacted] to ensure accurate claim processing.”

4. OBRA 90 PRICER
GEHA is pricing OBRA90 claims with outdated versions of the [redacted] program.

We entered several test claims subject to OBRA90 pricing into the [redacted] system. The system suspended all of the claims for OBRA90 pricing (also referred to as diagnosis-related group or DRG pricing), and the GEHA claims adjudicator priced each claim using the [redacted].

We also independently priced each claim using the most recent versions of the [redacted] programs, and compared the Medicare DRG amount produced to that calculated by the GEHA adjudicator.
All of the test claims processed by GEHA were priced accurately; however, we received screenprints of the [redacted] from GEHA which indicated GEHA was not using the most current version of the [redacted].

Failure to promptly provide claims adjudicators with updated versions of the [redacted] program increases the risk that GEHA is pricing OBRA90 claims incorrectly.

Recommendation 25
We recommend that GEHA implement procedures to ensure that OBRA90 claims are priced with the correct version of the [redacted].

GEHA Response:
“GEHA agrees with the recommendation and is taking steps to ensure that the adjusters have access to the most current version of the OBRA 90 Pricer before claims processing. This will include working more closely with the IT area to ensure timely loading of the current version, while considering whether claims may need to be held in the interim to prevent claim payment issues.”

5. Manual Processing of Claims
A significant portion of claims processed by GEHA are processed manually, including all hospital, anesthesiology, and renal failure claims.

The amount of manual effort required by adjudicators to process claims greatly increases the risk that these claims are processed incorrectly.

Recommendation 26
We recommend that GEHA ensure that the appropriate system configurations are made to [redacted] to ensure that a reduced manual effort is required by claims adjudicators to process claims.

GEHA Response:
“GEHA is exploring every opportunity to reduce manual processes. Conversion to the [redacted] system will facilitate our goals in this area. While our conversion to [redacted] is still in the ‘build’ phase, we have already identified several areas of opportunity where reduced manual effort will be realized . . . .”

F.
Health Insurance Portability and Accountability Act
The OIG reviewed GEHA’s efforts to maintain compliance with the security and privacy standards of HIPAA.

GEHA has implemented a series of IT security policies and procedures to adequately address the requirements of the HIPAA security rule. GEHA has also developed a series of privacy policies and procedures that directly address all requirements of the HIPAA privacy rule. The plan has a designated Privacy Official who has the responsibility of ensuring compliance with HIPAA Privacy and GEHA’s HIPAA Privacy policies. GEHA employees receive HIPAA-related training during new hire orientation, as well as annual refresher training.

Nothing came to our attention that caused us to believe that GEHA is not in compliance with the various requirements of HIPAA regulations.

III. Major Contributors to This Report

This audit report was prepared by the U.S. Office of Personnel Management, Office of Inspector General, Information Systems Audits Group.
The following individuals participated in the audit and the preparation of this report:
• [redacted], Group Chief
• [redacted], Senior Team Leader
• [redacted], Auditor In Charge
• [redacted], IT Auditor
• [redacted], IT Auditor

Appendix

The Benefits of Better Health

May 10, 2012

[redacted]
Auditor in Charge
Information Systems Audits Group
Office of the Inspector General
1900 E Street, NW Room 6400
Washington, DC 20415-1100

We have completed our review of the report for the Audit of Information Systems General and Application Controls at Government Employees Health Association (GEHA) dated March 14, 2012. The following are our responses for each recommendation that was presented in the report.

Recommendation 1
We recommend GEHA develop a rules of behavior agreement and require all employees to sign the document.

GEHA Response
GEHA has an extensive orientation process where new hires are trained on various policies and procedures and are required to sign Acknowledgement of Responsibility forms. These acknowledgements encompass what one rules of behavior document would address.

1. Acknowledgement of GEHA Code of Ethics.
   a. Confidentiality Agreement which is required upon hire and annually thereafter.
The Confidentiality agreement ensures that the employee keeps GEHA proprietary and health information confidential and reports any accidental or intentional disclosure.
   b. HR Policy 5-05 - Code of Ethics, which includes a section on ‘compromising computer security’.
2. Acknowledgement of Responsibility for HIPAA confidentiality of patient information. This is required upon hire and thereafter when additional training is given.
   a. HIPAA Policy 210 - Confidentiality and Security of Patient Information - Employee Breach and Disciplinary Action.
   b. HIPAA Policy 215 - Breach Reporting, Investigation and Notification Requirements.
3. Acknowledgement of GEHA Information Protection Policy.
   a. HR Policy 5-35 – Information Protection. This policy covers all information in any form and from any system.
   b. HIPAA Policy 840 – Internet and Software Acceptable Use Policy.

Government Employees Health Association, Inc.
P.O. Box 4665 • Independence, MO 64051-4665 • Telephone (800) 821-6136
www.geha.com

Recommendation 2
We recommend that GEHA reassess its facilities’ physical access management and implement controls that will ensure proper physical security.
At a minimum, GEHA should implement [redacted] at data center entrances.

GEHA Response
GEHA is currently reassessing facilities access at all of our locations and adding the following controls to increase physical security.

1) [redacted]

2) Data Center – Multi-Factor Authentication at Entrance (COMPLETED) - Access to GEHA’s data center at our 310 building requires both an access badge as well as the code to a cipher lock built into the door. The addition of the cipher lock was completed in September of 2011.

3) [redacted]

4) [redacted]

5) [redacted]

Recommendation 3
We recommend that GEHA implement physical controls to prevent employees that only require access to the [redacted].

GEHA Response
GEHA continues to keep this area locked during non-business hours and corrected this concern in October 2011 by installing a latching system on the inside of the storage area that prevents unsupervised access.

Recommendation 4
We recommend that GEHA implement a process to monitor and track access to claim files (in the mail sort room).

GEHA Response
The area where the claims are kept is separated from the [redacted] by a locked door. Access to this area is restricted to a limited number of claims clerical staff. There are no sign out procedures because claims leave this area only to be copied and immediately returned to the locked room.

Recommendation 5
We recommend GEHA conduct a detailed access review audit of [redacted] user accounts to identify accounts with inappropriate access.

GEHA Response
GEHA Security Operations has taken multiple steps to better control [redacted] access. We have reviewed access for users with administrative access and have removed access that was inappropriate or no longer needed.
To better establish and control access, we have developed a series of user templates that determine access by position. In doing so we have consulted with managers to verify access and remove any unneeded access. We have developed reporting from our payroll department that will allow us to better track users as they move within the organization or terminate. We have reviewed all previously terminated users to assure that all access has been removed. For auditing purposes it is necessary to leave IDs for terminated employees in place; however, all access to the ID is removed, the account is locked, and the associated [redacted] user id is removed. This activity has been completed.

Recommendation 6
We recommend that GEHA configure its intrusion detection tools to optimize their capabilities.

GEHA Response
GEHA uses a [redacted] firewall that includes intrusion detection capabilities. The intrusion detection capabilities were recently activated and are being monitored to determine effectiveness in detecting known attacks. [redacted] are updated regularly to assure that detection capabilities are current. The Security Operations team will assist the Enterprise Architecture team in fine-tuning the detection capabilities as monitoring reveals changes that can be made to improve the system’s response.

Recommendation 7
We recommend that GEHA implement [redacted] for remote access.

GEHA Response
GEHA has taken steps to purchase and implement [redacted] for remote access users. Remote web access to GEHA resources forces [redacted] to GEHA’s [redacted] environment using [redacted].
This project has been completed for all users with remote access.

Recommendation 8
We recommend that GEHA document a process for ensuring application access is granted with proper segregation of duties and implement the process for all major applications.

Response
GEHA has taken steps to identify duties within the claims processing area and has defined those activities that present a potential violation of the segregation of duties. [redacted] access has been reviewed and conflicting access removed. Other applications have initially been configured to reduce conflicts, but currently need to be reviewed and any conflicts removed. Expected completion of this activity is by the end of the fourth quarter of 2012.

GEHA’s Internal Audit Department performs an annual audit of access rights on major applications for employees who have terminated or transferred positions.

Recommendation 9
We recommend that GEHA expand the access recertification process to all major applications.

Response
The GEHA Security Operations team is in the process of working with managers to develop [redacted] and major applications. During the process we are aligning current access of individuals to templates created for the role or job title they hold. Managers are reviewing access changes to align with templates created. Going forward the Security Operations team will use these application reports and templates to verify with management the access of all employees at least annually.

Recommendation 10
We recommend that GEHA implement a process to log and review user activity within its applications.

Response
The Security Operations team has developed a daily process to review [redacted] violation reports. [redacted]. Violation reports for [redacted] and other applications are not available at this time.
[redacted] reports are reviewed, users are contacted to respond to violations, and notations are made electronically on the report pdf file. The file is stored along with related correspondence. This process is currently implemented.

Recommendation 11
We recommend that GEHA program the new claims processing system to use randomly generated temporary passwords for users who need to establish new accounts and users who lock themselves out of the system. The passwords should be automatically emailed to the user requesting access.

Response
The Security Operations team will review current practices for creating [redacted] IDs and modify the process as necessary, adding steps to require interaction with the Help Desk before a user id is activated for first use. The new claims system uses authentication based on [redacted], where users will automatically authenticate to [redacted] as they activate the application client. [redacted] password management will be reviewed and changes made as necessary to randomize initial passwords. A password self-service tool will be investigated to see if it provides a more secure method for changing initial or forgotten passwords. Changes to processes will be completed by the fourth quarter of 2012.

Recommendation 12
We recommend that GEHA formally document baseline configurations for its hardware, software, and firmware.

Response
GEHA is addressing secure baseline configuration in a three-phase approach. Each phase will document the system function, inventory, configurations and security hardening requirements. For the initial phase, GEHA is focusing on [redacted]. The second phase will extend into higher levels of the architecture including but not limited to [redacted].
The final phase will be a granular view of the business applications that utilize the architecture detailed in the first two phases, such as [redacted].

Recommendation 13
We recommend that GEHA implement a process to routinely monitor system administrator activity.

Response
The Security Operations team has developed a daily process to review [redacted] administrator activity reports. The [redacted] reports are reviewed, users are contacted to respond to questionable activities, and notations are made electronically on the report pdf file. The file is stored along with related correspondence. The new claims processing system will require different tools to track administrative access because access will primarily be controlled through [redacted]. It may be possible to track administrative access within the new application but that is unknown at this time. A tool is being investigated that will track user data view and that tool may provide additional visibility within the new claims application. [redacted] administrator activity monitoring is currently implemented.

Recommendation 14
We recommend that GEHA address the issues detected by the compliance audit and routinely monitor system software configuration to ensure compliance with established baselines.

Response
The recent purchase of a security vulnerability scanning tool by the Security Operations team gives us the ability to scan configuration settings of individual servers once authenticated to the server. Security Operations will work with the Enterprise Architecture to assure that appropriate settings are routinely scanned and addressed.
This recommendation should be completed by the end of the fourth quarter of 2012.

Recommendation 15
We recommend that GEHA implement a process to conduct routine vulnerability scans and track any identified weaknesses until they are remediated.

Response
A product to scan systems for vulnerabilities has recently been purchased and a project has been created to develop processes for scanning, notification of findings, risk assessment, remediation, and review. The project will focus on reducing the risk to the organization by implementing a routine vulnerability monitoring and remediation program. This recommendation should be completed by the end of the fourth quarter of 2012.

Recommendation 16
We recommend that GEHA install the [redacted] that were identified in the scan results and, in the future, improve the [redacted] management process to ensure that [redacted] are installed promptly.

Response
GEHA recognizes the need and importance of developing and implementing a [redacted] to identify [redacted], determine applicability to GEHA systems, and distribute and implement on GEHA systems to prevent and minimize the risk of security breaches and losses. GEHA is initiating a formal [redacted] to mitigate the risk presented by the [redacted].
The program will be a combination of technology in the form of [redacted] and deployment software and processes to identify, test and deploy software updates following a risk-based management approach.

Recommendation 17
We recommend that GEHA contract with a third party vendor that specializes in [redacted] vulnerability assessments to conduct a thorough [redacted] vulnerability assessment of its [redacted].

Response
GEHA is addressing [redacted] vulnerabilities in two different ways. In late 2012, we engaged a third-party, [redacted], to conduct a comprehensive [redacted] vulnerability assessment and penetration test. The scope of the assessment included our [redacted]. Our IT and Security teams are actively remediating issues noted in that assessment. In addition, GEHA is currently redesigning our [redacted] and Security teams are involved in those discussions to ensure that any open vulnerabilities or concerns are addressed in the new design.

The second way we are addressing this issue is the purchase and implementation of [redacted]. Our Information Security Analysts have installed this solution and are currently conducting configuration and testing. This tool will be used on a continuous basis to assist security in identifying vulnerabilities affecting our infrastructure and will assist in the risk ranking of those vulnerabilities to drive remediation priorities. The solution will have the ability to not only alert security staff to vulnerabilities facing our [redacted], but also vulnerabilities on our [redacted].
We expect to have [redacted] fully deployed in our production environment and identifying vulnerabilities by Q3 of 2012.

We feel that it is important and we plan to continue engaging a third party to conduct an independent assessment; however, due to the addition of our [redacted] tool and vulnerability management processes, we will be reducing the frequency of those from annually to perhaps every other year.

Recommendation 18
We recommend that GEHA continue their efforts to upgrade the [redacted] operating system to a vendor-supported version.

Response
GEHA is continuing the efforts to update the [redacted] operating systems to vendor-supported versions. We are working through the [redacted] and custom-developed application dependencies which require update before the [redacted] operating systems can be updated.

GEHA has also had to procure and implement a new [redacted] storage subsystem to allow for the increased capacity needs for the testing environments for process and inter-operability testing.

Recommendation 19
We recommend that GEHA conduct and document an annual disaster recovery test for the [redacted].

Response
GEHA has designed and implemented a secured off-site co-location facility that will function as the disaster recovery site for all [redacted]. GEHA is currently replicating all [redacted] data to the site through the use of the [redacted] data protection platform.

GEHA is scheduled to perform disaster recovery testing in Q3 of 2012. We have hired a Manager of Enterprise Risk that will be responsible for working with IT to maintain/update our BCP/DR plans to reflect the above changes and to assist in coordinating testing exercises. This person is currently assisting on our claims system conversion and will be joining the Enterprise Security and Risk Management team in Q3 of 2012.
His focus will be BCP/DR and other Enterprise Risk Management initiatives.

Recommendation 20
We recommend that GEHA, in collaboration with [redacted], develop a process to reconcile printed checks.

Response
We have initiated a project with our Project Management Department and have assembled a team to address this recommendation. We plan to coordinate with [redacted] and have a reconciliation process implemented once we have identified and created the necessary internal reporting.

Recommendation 21
We recommend that GEHA implement an audit process for the full debarment file.

Response
GEHA does currently perform a monthly 3% audit on our full debarment file. However, based on the recommendation of OPM, we have increased the audit to 100% of the full debarment file effective April 15, 2012.

Recommendation 22
We recommend that GEHA ensure that comprehensive medical edits are incorporated into the development of the new [redacted] claims processing system.

Response
Our review of the [redacted] System and the new clinical editor has shown that [redacted] does not currently have edits for inpatient hospital claims. This specific claim example would not be captured in any of the edits. We will investigate the system capabilities of creating the configuration to assist in up front identification of these claims. There are [redacted] edits for outpatient hospital claims.

For the professional claim example, we have test cases developed to review diagnosis to procedure code edits. The system can then be coded to pend, deny, or use a warning message.

We have not received the latest version of [redacted] to test at this time.
We will add these examples to our requirements and set up specific test cases to test capabilities to ensure accurate processing.

The OIG finding included the following information – “GEHA informed us that for professional claims, clinical edits produce warning messages rather than having hard edits in place to prevent the claim from processing. If these claims are submitted electronically, they could be batched and subsequently processed and paid without a processor ever seeing that warning message.”

GEHA response - GEHA does not allow claims with these Clinicalogic warning messages to pass through batch; rather, they are pended to the adjustor for additional review.

Recommendation 23
We recommend that GEHA ensure that the appropriate system modifications be incorporated into the [redacted] claims processing system to ensure that therapy benefits are limited in accordance with the plan brochure.

Response
GEHA agrees with the recommendation to ensure this is addressed in the conversion to [redacted]. However, between now and the time of conversion to [redacted], we have implemented interim procedures in the Claims Department to adjudicate claims correcting the calculation of time per visit.

Recommendation 24
We recommend that GEHA ensure that the appropriate system configurations are made to [redacted] to prevent duplicate payments for claims with overlapping dates of service.

Response
GEHA agrees with the recommendation and will explore the system configuration available in [redacted] to ensure accurate claim processing.

Recommendation 25
We recommend that GEHA implement procedures to ensure that OBRA90 claims are priced with the correct version of the [redacted].

Response
GEHA agrees with the recommendation and is taking steps to ensure that the adjusters have access to the most current version of the OBRA 90 Pricer before claims processing.
This will\ninclude working more closely with the IT area to ensure timely loading of the current version,\nwhile considering whether claims may need to be held in the interim to prevent claim payment\nissues.\n\n\nRecommendation 26\nWe recommend that GEHA ensure that the appropriate system configurations are made to\n        to ensure that a reduced manual effort is required by claims adjudicators to process\nclaims.\n\n\n\n\n                                               11\n\x0cResponse\nGEHA is exploring every o pport unity to reduce manual processes. Conve rSion to th ~\nsyste m will fa cilitate our goa ls in t his area . While our conversion to    s st ill in the \xc2\xabbuild\'\nphase. we have alread y ident ified seve ral area s of opportunity where redu ced manu al effort\nwill be realized\n\n    \xe2\x80\xa2\t With t he addition 0                                  e expect improvements in automated\n\n       hospital and anesthesia processing.\n\n    \xe2\x80\xa2\t We will be using reve nue coding which is required by some PPO netw orks. This will be\n\n       loaded from t he elect ronic claim and added t o t he processes In our data e ntry area .\n\n       With thi s information, pricing can be applied through ~ lIo w i n g more claims to\n\n        autc-adjudlcate .\n    \xe2\x80\xa2\t For PPO USA hospitals and facilities that use a complex rate, they will be priced with\n       ~nd avto-adludicate d.\n    \xe2\x80\xa2\t Authorizat ions for hospital st ays wiD be loaded into _        and then matched to the\n                                                                                                         II\n       specific cla im they represent. 
This will red uce man ual review of the autho rization and\n       allow auto -adjudtcanon of hospital n ays and outpane nt services.\n                                                                                                         i\n    \xe2\x80\xa2\t ASAcodes and th e associated units are also being loaded into the pricing software, as\n       we llas confi guratio n of t he time units, so that auto-calcutatlon can be performed.\n                                                                                                         i\n    \xe2\x80\xa2\t National Co nt racts pricing is also loaded in _\n       req uired toda y.\n                                                                 reducing th e manual pricing that is\n                                                                                                         I\nConclusion                                                                                               I\nWe are disappointed in th e resu lts ofthe audit, howe ve r we were making progre ss to update\nand improve our informat ion syste ms infrastru ctu re. We have filled several key positions\nwit hin the last yea r to expand ou r expertise and have add ed staff t o address weaknesses that\nwe re note d in the OIG\'s re port. Prior to th e sta rt of the audit we forme d an Enterprise Security\nand Risk Man ageme nt Department tha t is inde pende nt of the IT Depart ment and reports\ndirect lyto me. The Enterp rise Security and Risk Manageme nt Departm ent is res ponsible for\nesta blishing security policies, assessing vulnerabilities a nd working with Information Systems\nmanageme nt to remediete weaknesses in internal controls.\n\nWe thank you an d yo ur st aff for your assistance in identifying the are as needing improvement\nand we are working diligentlyto resolve t hese issues.\n\nSince re ly,\n\n\n\n\nRicha rd G. 
Miles\nPreside nt\n\n\n\n\n                                                   "\n\x0cAttachments: Audit Report Draft\n\nCC:\t                 , Chief of Health Insurance II Insurance Operations\n                         , Chief of Program Planning and Evaluation\n       Eileen Hutchinson, GEHA VP - CFO\n                       GEHA VP \xe2\x80\x93 Claims\n                  GEHA VP \xe2\x80\x93 Enterprise Security and Risk Management\n                   GEHA Manager of Internal Audit\n\n\n\n\n                                              13\n\x0c'